Mess with the Bull, Get the Horn

"Minotaur is a boot2root CTF. Once you load the VM, treat it as a machine you can see on the network, i.e. you don't have physical access to this machine. Therefore, tricks like editing the VM's BIOS or Grub configuration are not allowed. Only remote attacks are permitted. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal."

Let’s get hacking! First up, where is Minotaur hiding? Usually I would run arp or netdiscover to find the victim; however, it isn’t broadcasting anything that I can see. Let’s try a ping sweep instead:

I cancelled this brute-force attempt, as the dictionary attack was going to take far too long. Looking at the CTF notes, we have these hints:

== Hints ==

This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

Let’s try generating our own dictionary file based on the website’s content:
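Below is an added example, not part of the original write-up, showing the idea behind a site-derived wordlist: scrape the words from the target's pages, mangle them the way john's rules would (case, leet substitutions, common suffixes), and run the result against the hash. The HTML snippet, the mangling rules and the SHA-256 target are all constructed here so the script runs offline; against the real VM you would feed the site's pages in and hand the generated list to john with whatever hash type you recovered.

```python
"""Site-derived wordlist generation and a simple hash check.

Added example, not code from the original post. SAMPLE_HTML and TARGET are
constructed stand-ins; SHA-256 is used only so the check runs without john.
"""
import hashlib
import html
import re

# Constructed stand-in for the target website's content.
SAMPLE_HTML = """<html><head><title>Minotaur Labyrinth</title></head>
<body><h1>Welcome to the Labyrinth</h1>
<p>The Minotaur waits. Theseus brought the thread of Ariadne in 2015.</p>
<p>Moo, says the heffer; the bull horns gleam.</p></body></html>"""

# Assumed mangling rules, chosen to mimic a small subset of john's rules.
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["", "1", "123", "!", "2015"]


def extract_words(page_html, min_len=4):
    """Strip tags, unescape entities and return unique lowercase words."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", page_html))
    words = []
    for w in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        lw = w.lower()
        if lw not in words:
            words.append(lw)
    return words


def mangle(word):
    """Case, leet and suffix variants of one base word."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    out = []
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in out:
                out.append(cand)
    return out


def build_wordlist(page_html):
    """Full candidate list: every site word run through every rule."""
    seen = set()
    wordlist = []
    for base in extract_words(page_html):
        for cand in mangle(base):
            if cand not in seen:
                seen.add(cand)
                wordlist.append(cand)
    return wordlist


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex, candidates):
    """Return the candidate whose SHA-256 matches target_hex, else None."""
    for cand in candidates:
        if sha256_hex(cand) == target_hex:
            return cand
    return None


# Constructed target: a password built from site words, not a real one.
TARGET = sha256_hex("L4byr1nth2015")

if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_HTML)
    print(f"{len(wordlist)} candidates generated")
    print("cracked:", crack(TARGET, wordlist))
```

The point of the exercise is the candidate list, not the hash loop: a password like the constructed one here never appears in rockyou.txt, but it falls out of a few hundred mangled site words in well under a second. On the real target, write the output of build_wordlist() to a file and pass it to john as the wordlist, with rules enabled if you want john to do the mangling instead.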

After about one minute, we get heffer’s password. Let’s log on and see what we have:


root@omerta:~# ssh heffer@192.168.56.223
---snip---
heffer@minotaur:~$ ls -al
total 28
drwx------ 3 heffer heffer 4096 May 27 2015 .
drwxr-xr-x 5 root root 4096 May 27 2015 ..
lrwxrwxrwx 1 heffer heffer 9 May 27 2015 .bash_history -> /dev/null
-rw-r--r-- 1 heffer heffer 220 May 27 2015 .bash_logout
-rw-r--r-- 1 heffer heffer 3637 May 27 2015 .bashrc
drwx------ 2 heffer heffer 4096 May 27 2015 .cache
-rw------- 1 heffer heffer 107 May 27 2015 flag.txt
-rw-r--r-- 1 heffer heffer 675 May 27 2015 .profile

Another flag! This time heffer’s:


heffer@minotaur:~$ cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0

The first thing I always do is check whether the user has sudo access, but in this case heffer has nothing exciting. I spent a couple of minutes pottering around the file system, only to be interrupted by john finding a second password, this time minotaur’s. Let’s see what minotaur has to offer: